str_replace not working (?)

[llDemonll]

function fCleanString($UserInput){

$UserInput = strip_tags($UserInput);

$UserInput = str_replace("'", "''", $UserInput);

return $UserInput;

}

 

that is a simple function I have set up to strip single apostrophes out of my database entries and replace them with two so it wont break the function.  ever since xfering it over to a new server (php 5, same as the old one) it hasn't been working and has been giving me an error (breaking code right where the apostrophe would be located).  help appreciated, thanks!

[rhodesa]

what kind of errors are you seeing?

 

this is to prep data for a database? double single quotes is a MSsql specific thing...did you switch to a MySql DB by any chance?

[llDemonll]

MySQL 4.1.22 is the server version, both were mysql servers using phpmyadmin

 

and yea, it takes the input from a textbox with $_GET, and runs the function on it and assigns it to a new variable, and that variable is what gets put into the database

 

$strName = fCleanString($_GET['strName']);

 

$strSQL = "UPDATE database SET name='$strName', address='$strAddress', address2='$strAddress2', ....more of these.... WHERE CompanyID='$updateID'";

 

mysql_query($strSQL) or die('Update Insert error: ' . mysql_error());

 

gives the same error for the insert function.

 

the error it's throwing is:

Update Insert error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '8240 Resurrection Drive', address2='', city='Anchorage', state='AK', statefull='' at line 2

 

but its not line 2, its 2xx i think, cuz the update function isnt til a ways down on the page.  as you can see the part where it's breaking is right after the first address insert. this error was copied where $strName was input as Paw Prince', 8240 Resurrection Drive is what $strAddress is, and $strAddress2 is blank

 

tell me if you want a bigger code snippet to look at.

[rhodesa]

as stated...turning single quotes to double single quotes is a MSSQL thing. for MySQL, change your function to:

function fCleanString($UserInput){
return mysql_real_escape_string(strip_tags($UserInput));
}

[llDemonll]

missed that, thought it was a typo.

 

so figured out that function puts a \ in front of \r, \n, \x00, \x1a, ' and '', but now in the database it goes in as Paw Prince\'s, should i just make a function to strip that slash after?

 

seems like stripslashes should be ooutside the real_escape..but then it seems counter-productive

[rhodesa]

you probably have magic_quotes enabled...you should disable them if you can...read up on that here:

http://us.php.net/manual/en/security.magicquotes.disabling.php

 

you can see if they are enabled with:

<?php
  if(get_magic_quotes_gpc())
    print "Magic Quotes Enabled";
  else
    print "Magic Quotes Disabled";
?>

[llDemonll]

sweet read up on that magic quotes thing and fixed it, thanks for all the help

 

problem solved